In its continuing coverage of personal health information security (see also “Are Medical Privacy Breaches a Concern for Canadians?”), E-TIPS® explores how a recent review of the divergent enforcement strategies of the US and UK on personal health information security can serve to underscore the changing tide in the Canadian policy debate.

In the UK, the trend has been towards publicizing the Government’s intolerance for personal health information violations with the frequent levy of small fines. In contrast, the US stance has been to invest resources into the investigation of large-scale breaches, commanding considerable fines and significant undertakings from guilty parties.

In Canada, the Federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use or disclosure of personal information generally, though under s. 26(2)(b), the Governor in Council can exempt from the application of PIPEDA an activity or class of activities for which a province has passed legislation deemed substantially similar to PIPEDA. In Ontario, the Personal Health Information Protection Act (PHIPA) has been deemed substantially similar, and accordingly governs the healthcare sector in Ontario in place of PIPEDA.

PHIPA allows for fines of up to $50,000 for individuals and $250,000 for companies if convicted of certain offences. However, the Ontario enforcement strategy has been markedly centred on corrective as opposed to punitive measures. Since PHIPA’s introduction, the Crown has not prosecuted an offence under it. Instead, the Ontario Information and Privacy Commissioner has conducted investigations and exercised its powers to order remedial measures and follow-ups.

The statutory authority of the Federal Privacy Commissioner (FPC) to enforce PIPEDA is more limited: the FPC has no authority to make any binding order whatsoever. In this way, the role of the FPC is more akin to that of an ombudsman, a fact which current FPC Jennifer Stoddart recently criticized in an impassioned plea for new FPC powers to sanction offenders. With PIPEDA overdue for review, Parliament may consider Stoddart’s plea for reform and explore sanction as an integral part of a new national privacy law enforcement policy. Whether the FPC is granted new powers to sanction under PIPEDA, and whether such a change to the federal scheme would affect Ontario’s PHIPA enforcement posture, is an area to watch.

Summary by: John Lucas

E-TIPS® ISSUE

12 09 05

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.